
Thread: Juniper SSG-140 <-> PIX

  1. #1
    Jean Figueiredo
    Guest

    Juniper SSG-140 <-> PIX

    Hello all,

    I have several problems with the VPN connection because of the proxy-id.

    +-------+                                       +-------+
    | LAN A | <---Juniper------[WAN]----PIX-----> | LAN B |
    +-------+                                       +-------+

    Networks over LAN A
    10.20.33.0/24
    192.168.244.0/23
    172.16.0.0/16

    In the Lan B

    192.168.2.128/27

    So I need 3 proxy-ids, but this Juniper only permits one.

    Does anybody have a solution?


    Regards,

    PS: Sorry for my bad English :(


  2. #2
    Burkhard Ott
    Guest

    Re: Juniper SSG-140 <-> PIX

    On Wed, 14 Oct 2009 01:25:40 +0100, Jean Figueiredo wrote:

    > Hello all,
    >
    > I have several problems with the VPN connection because of the proxy-id.
    >
    > +-------+                                       +-------+
    > | LAN A | <---Juniper------[WAN]----PIX-----> | LAN B |
    > +-------+                                       +-------+
    >
    > Networks over LAN A
    > 10.20.33.0/24
    > 192.168.244.0/23
    > 172.16.0.0/16
    >
    > In the Lan B
    >
    > 192.168.2.128/27
    >
    > So I need 3 proxy-ids, but this Juniper only permits one.
    >
    > Does anybody have a solution?
    >
    >
    > Regards,
    >
    > PS: Sorry for my bad English :(


    Hey,

    There are several solutions for that, but it depends on your setup.

    1.
    You can define 1 IPsec SA and NAT all 3 networks behind this address.

    +-------+
    | LAN A |->DIP Table 1.1.1.0/24->[WAN]<-PIX SA 1.1.1.0/24: LAN B
    +-------+

    In this case every IP you listed above would be one of 1.1.1.x; the Juniper
    uses one dynamically, or if you just need exactly 1, define a /32 IP.

    2.
    If you don't want to use the NAT solution (it's called PAT in your Juniper
    docs), you need to define all 3 x 1 SAs in your Juniper.

    eg:
    set vpn PIXtunnel proxy-id 10.20.33.0/24 remote-ip LAN B
    set vpn PIXtunnel proxy-id 192.168.244.0/23 remote-ip LAN B
    set vpn PIXtunnel proxy-id 172.16.0.0/16 remote-ip LAN B

    Where PIXtunnel is your defined Phase1.

    3.
    You can define a policy-based tunnel.

    As far as I know Cisco doesn't support routed tunnels via lo interfaces;
    between 2 NetScreens you can define a lo device with a (non-used) RFC1918
    IP and just route the traffic through, and the NetScreen on the other side
    will set the back route on the other site automatically.

    cheers
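    Phase 2 in option 2 only comes up when each Juniper proxy-ID (local, remote) is mirrored as (remote, local) on the PIX crypto ACL, so a checker for that is added here as an example; it is not from the post or from either vendor. It assumes the ScreenOS lines from the post with "LAN B" written out as 192.168.2.128/27, a hypothetical PIX ACL named VPN_TO_A in standard `permit ip <src> <mask> <dst> <mask>` form, and one deliberately mismatched PIX entry (a /24 where the Juniper has a /23) to show what a proxy-ID mismatch looks like.

```python
import ipaddress

# Constructed sample: the three ScreenOS proxy-ID lines from the post, with "LAN B"
# written out as 192.168.2.128/27 (assumed: same syntax as the post shows).
SCREENOS_LINES = """
set vpn PIXtunnel proxy-id 10.20.33.0/24 remote-ip 192.168.2.128/27
set vpn PIXtunnel proxy-id 192.168.244.0/23 remote-ip 192.168.2.128/27
set vpn PIXtunnel proxy-id 172.16.0.0/16 remote-ip 192.168.2.128/27
"""

# Constructed PIX crypto ACL (hypothetical name VPN_TO_A). The second entry is
# deliberately a /24 instead of the /23 to show what a proxy-ID mismatch looks like.
PIX_ACL_LINES = """
access-list VPN_TO_A permit ip 192.168.2.128 255.255.255.224 10.20.33.0 255.255.255.0
access-list VPN_TO_A permit ip 192.168.2.128 255.255.255.224 192.168.244.0 255.255.255.0
access-list VPN_TO_A permit ip 192.168.2.128 255.255.255.224 172.16.0.0 255.255.0.0
"""

def parse_screenos(text):
    """Return {(local, remote)} from 'set vpn <name> proxy-id <local> remote-ip <remote>' lines."""
    pairs = set()
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 7 and tok[:2] == ["set", "vpn"] and tok[3] == "proxy-id":
            local = ipaddress.ip_network(tok[4], strict=False)
            remote = ipaddress.ip_network(tok[6], strict=False)
            pairs.add((local, remote))
    return pairs

def parse_pix_acl(text):
    """Return {(src, dst)} as seen from the PIX side; PIX crypto ACLs use dotted
    subnet masks (not wildcard masks) after each address."""
    pairs = set()
    for line in text.splitlines():
        tok = line.split()
        if len(tok) == 8 and tok[0] == "access-list" and tok[2:4] == ["permit", "ip"]:
            src = ipaddress.ip_network(f"{tok[4]}/{tok[5]}", strict=False)
            dst = ipaddress.ip_network(f"{tok[6]}/{tok[7]}", strict=False)
            pairs.add((src, dst))
    return pairs

def proxy_id_mismatches(screenos_text, pix_text):
    """Mirror the PIX ACL to the Juniper's point of view and diff the two sets.
    Returns (juniper proxy-IDs with no PIX mirror, PIX entries with no Juniper match)."""
    juniper = parse_screenos(screenos_text)
    pix_mirrored = {(dst, src) for (src, dst) in parse_pix_acl(pix_text)}
    return sorted(juniper - pix_mirrored, key=str), sorted(pix_mirrored - juniper, key=str)
```

Any entry reported in either list is a selector the peer will reject during Phase 2, which on a PIX typically shows up as a proxy-ID or "no matching crypto map" style failure in the IKE debug rather than as a Phase 1 problem.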

  3. #3
    Jean Figueiredo
    Guest

    Re: Juniper SSG-140 <-> PIX

    Hey,

    I did try with a policy-based tunnel and it works :)

    Thanks very much :)

    Cheers,


